@@ -305,7 +305,13 @@ User identity verification, authorization, and the maintenance of a user is need
Whyile it is possible to maintain the identities of all of available intranet services by hand, this is often impractical even with a moderate pool of users. A contemporary enterprise NMS deployment will instead rely on an Identity Provider (IdP) for most or all of its services. IdP's may be part of an NMS or seperate, decoupled from the NMS. Likewise IdP's can be implemented locally or as a remote service, including as an RDPS. In all varieties the nature of the IdP deplyed to the netowrk is relevant to this document as it is a major risk factor, especially if the NMS product does not support a relevant integration methods or IdP technique.
Whyile it is possible to maintain the identities of all of available intranet services by hand, this is often impractical even with a moderate pool of users. A contemporary enterprise NMS deployment will instead rely on an Identity Provider (IdP) for most or all of its services. IdP's may be part of an NMS or seperate, decoupled from the NMS. Likewise IdP's can be implemented locally or as a remote service, including as an RDPS. In all varieties the nature of the IdP deplyed to the netowrk is relevant to this document as it is a major risk factor, especially if the NMS product does not support a relevant integration methods or IdP technique.
> NOTE: Again this use case seems to focus on one function (IdP) rather then on the operational environment and users. It is also not strcutured like the above use cases and finally, migh tbenefit from being broken down into higher and lower risk (smaller/larger or low security data/high security data) use cases.
The increasement in the importance of the operational context is linear with the accuracy how identity is managed.
A larger enterprise has more staff, roles, job and responsibility rotation, required services, data classes, levels of classified information, and working sites.
These factors contribute to the multiple different risks that require more elaborate management structures.
A small business could handle the credential cleanup of an old employee by hand, but a large enterprise might see value in admin credential management services.
The describe enterprise within this context can be a medical facility, which handles patient records or a bank, that upholds the nations finances.
It is not for the NMS to care what the Service Requesting User does with the network, but to ensure, that the system has enough features that matches the operational needs.
#### 4.4.2.2 Telecom network
#### 4.4.2.2 Telecom network
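Review bot: the opening sentence of the added paragraph ("The increasement in the importance of the operational context is linear with the accuracy how identity is managed.") does not parse; state the claim directly, for example "The larger and more varied the operational context, the more precisely identity must be managed." Later in the same paragraph, "The describe enterprise within this context can be a medical facility, which handles patient records or a bank, that upholds the nations finances" needs "described", "nation's" and a comma before "or a bank", and "to ensure, that the system has enough features that matches" should drop the comma and read "that match". The "> NOTE:" block added into the body reads as an editorial comment rather than standard text (and has "strcutured" and "migh tbenefit"); either resolve it before merging or move it into a review comment. The unchanged context line also carries "Whyile", "seperate", "deplyed", "netowrk" and "a relevant integration methods", worth fixing while this section is being touched.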
@@ -320,7 +326,6 @@ Telecom networks are modlled by division into northbound and southbound abstract
In telecom deployments of NMS it is common to provide an in-house Public Key Infrastructure (PKI), that declares it's own certificate authority (CA) or authorities deployed to the managed machines within the network. The number of these managed machines, number of CA's and how the CA's are used is dependent on design of the network Alternatively, even at telecom scale, and NMS can even provide its own certifactes and form an independent and segregated trust ring.
In telecom deployments of NMS it is common to provide an in-house Public Key Infrastructure (PKI), that declares it's own certificate authority (CA) or authorities deployed to the managed machines within the network. The number of these managed machines, number of CA's and how the CA's are used is dependent on design of the network Alternatively, even at telecom scale, and NMS can even provide its own certifactes and form an independent and segregated trust ring.
## 4.5 Risk Factors
## 4.5 Risk Factors
To address the risks of an NMS product prior a manufacturer's placing it on the market this standard encourages the manufacturer to threat model and risk profile of the use of the product, including its foreseeable uses, and considering the interplay between:
To address the risks of an NMS product prior a manufacturer's placing it on the market this standard encourages the manufacturer to threat model and risk profile of the use of the product, including its foreseeable uses, and considering the interplay between:
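Review bot: the header says this hunk removes one line (-320,7 +326,6) but no removed line is shown here, so the deletion cannot be reviewed from this rendering; please confirm what was dropped between the PKI paragraph and "## 4.5 Risk Factors". While here, the PKI context line is missing a sentence break ("...dependent on design of the network Alternatively, even at telecom scale, and NMS can even provide its own certifactes"), which should read "...design of the network. Alternatively, even at telecom scale, an NMS can provide its own certificates"; "it's own certificate authority" should be "its own", and "CA's" should be "CAs". Since the paragraph describes CAs deployed onto managed machines, it would help to state which component holds the CA signing key and how the "independent and segregated trust ring" relates to the in-house PKI, because that distinction is what section 4.5 needs for risk profiling.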
@@ -692,6 +697,8 @@ In addition, the managed device can have a configuration port, management API, f
<mark>TODO: define usage of machine credentials better, consider the cli over ssh controlled scenario</mark>
<mark>TODO: define usage of machine credentials better, consider the cli over ssh controlled scenario</mark>
<mark>TODO: evaluate if a large enterprise needs to have 3rd. party IdP as an integrateable option</mark>
### 5.2.7 Remote Data Processing Systems
### 5.2.7 Remote Data Processing Systems
<mark>AMS: August and Daniel are working on this. Skip for now.</mark>
<mark>AMS: August and Daniel are working on this. Skip for now.</mark>
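Review bot: the added line introduces a third inline <mark>TODO</mark> into the body of the managed-device section, and the question it raises (whether a large enterprise needs a third-party IdP as an integrable option) overlaps with the IdP paragraph in 4.4.2.1 earlier in this diff, which already says IdPs "may be part of an NMS or seperate, decoupled from the NMS" and that missing integration support is a major risk factor; either cross-reference that section instead of adding a TODO, or track the open question as an issue rather than in the document text. If the marker stays, spell "integrateable" as "integrable" and write "3rd." as "third-party".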